cloudray (https://cloudray.wordpress.com)
welcome to the land of virtualization!
Wed, 02 Jan 2019 02:11:06 +0000
Part 2 – GRID on Cloud – Azure or AWS?
https://cloudray.wordpress.com/2016/09/28/part-2-grid-on-cloud-azure-or-aws/
Wed, 28 Sep 2016 05:47:59 +0000

If you are planning to do some testing and piloting with nVIDIA GRID on one of the two major public cloud providers, Microsoft Azure or Amazon Web Services (AWS), which one would you go for? The answer really depends on your objective.

Based on my research so far, Microsoft Azure appears to be the clear-cut choice for purchasing GPU-optimised cloud compute. A few of the factors (merits) that favour the Azure platform over AWS are as follows:

Latest underlying host hardware for the GRID solution

More granular compute VM options (cores, memory, disk)

Multiple GPU options available (Kepler/Maxwell)

Higher CUDA core count

Higher number of simultaneous H.264 video encoding streams

Competitive or lower pricing for both Windows and Linux

To summarize the differences in platform and configuration between the Azure and AWS cloud offerings, the following tables may serve as a handy checklist for a quicker decision, whether for first-time customers or for anyone who wants to see real-world performance and user experience:

Part 1 – nVIDIA GRID Offerings – quick reference
https://cloudray.wordpress.com/2016/09/22/nvidia-grid-offerings-quick-reference-part-1/
Thu, 22 Sep 2016 09:36:50 +0000

As you may have seen from the volume of information on the internet about the GRID virtualization solution delivered by nVIDIA, there have been some quick and significant changes (improvements) over the last few years in the GRID offerings: nVIDIA GRID now integrates with VMware, Citrix and Microsoft (for the Blast Extreme/PCoIP, HDX 3D Pro and RemoteFX protocols respectively) to deliver graphics-accelerated virtual apps and desktops. In my opinion, of the three leading vendors, VMware and Citrix have been more aggressive in their commitment than Microsoft. However, Microsoft may become more aggressive with the introduction of the Windows Server 2016 architecture and beyond.

Having said that, I thought I would put together a quick reference of the three primary GRID card offerings from nVIDIA, their use-cases, vGPU profiles, licensing and other requirements. This may come in handy for the Sales and Pre-Sales teams when engaging with their customer base to identify the need for the highest-quality user experience, beyond graphics-intensive app and desktop virtualization.

Important Note (Disclaimer): Please be aware while reading this that many of the features and functionalities may not have been tested or validated, and thus may differ from real-world results. Therefore, I strongly recommend that you refer (as applicable) to the official documentation, whitepapers and blogs from nVIDIA, Citrix, VMware and Microsoft or other reliable sources, as changes and updates are being released constantly. A few of the important official documents are listed in the references section at the bottom of this blog.

| | Designed for rack and tower servers, optimized for maximum user density per host | Designed for rack and tower servers, optimized for performance | Designed for blade servers and converged |
| --- | --- | --- | --- |
| Number of GPUs | Quad Mid-Level Maxwell | Dual High-End Maxwell | Single High-End Maxwell |
| Total NVIDIA CUDA® Cores | 2,560 (640 per GPU) | 4,096 (2,048 per GPU) | 1,536 |
| Total Memory Size | 32 GB GDDR5 (8 GB per GPU) | 16 GB GDDR5 (8 GB per GPU) | 8 GB GDDR5 |
| Max vGPU Instances | 64 | 32 | 16 |
| Max Power | 225 W | 300 W | 100 W |
| Form Factor | PCIe 3.0 Dual Slot (rack) | PCIe 3.0 Dual Slot (rack) | MXM (blade) |
| Board Dimensions | 10.5″ x 4.4″ | 10.5″ x 4.4″ | 3.2″ x 4.1″ |
| Cooling Solution | Passive | Passive / Active | Bare Board |

GRID Licensing Model – Concurrent User (CCU)

Licence Type – Option 1: Perpetual (one-time) + SUMS* (first year mandatory)

Licence Type – Option 2: Annual Subscription – pay as you go (yearly renewal)

License Entitlement: vApps; vPC + vApps (mixed environment); vWS + vApps (mixed environment)

*Support, Updates, and Maintenance Subscriptions (SUMS) ensures that you have 24×7 access to technical support, along with timely software patches, updates, and upgrades. SUMS is included in your NVIDIA GRID software subscription, but is a required one-year add-on if you choose a perpetual license. NVIDIA GRID K1 and K2 GPUs do not require a license to run vGPU.

Virtual Dedicated Graphics Acceleration (vDGA) Available with vSphere 5.5 and later, this feature dedicates a single physical GPU on an ESXi host to a single virtual machine. Use this feature if you require high-end, hardware-accelerated workstation graphics.

Soft 3D Software-accelerated graphics, available with vSphere 5.0 and later, allows you to run DirectX 9 and OpenGL 2.1 applications without requiring a physical GPU. Use this feature for less demanding 3D applications such as Windows Aero themes, Microsoft Office 2010, and Google Earth.

VMware VMotion Capability: Because NVIDIA GRID vGPU and vDGA use PCI pass-through on the ESXi host, live VMotion is not supported. vSGA and Soft 3D support live VMotion.

Microsoft GPU References

Note: Based on my search online, there is no proper official documentation by Microsoft on RemoteFX, GRID or otherwise. The blogs are quite old and rely mostly on results gathered from various customer environments and the user community.

NVIDIA GRID vGPU enables multiple VMs to have simultaneous, direct access to a single physical GPU, using the same NVIDIA graphics drivers that are deployed on non-virtualized operating systems.

Support for VMware vSphere and VMware ESX using Virtual Direct Graphics Acceleration (vDGA) – You can use HDX 3D Pro with vDGA for both RDS and VDI workloads.

Playing with nVIDIA GRID on VMware and Citrix accelerated graphics remoting solutions – Get Started User Guides
https://cloudray.wordpress.com/2016/09/15/playing-with-nvidia-grid-on-vmware-and-citrix-accelerated-graphics-remoting-solutions-get-started-user-guides/
Thu, 15 Sep 2016 08:04:14 +0000

{Firstly, apologies to all readers for the delay in sharing this through my blog, though it is available online. I thought that before it disappears online or the URLs go missing or bad, I should record it in my blog.}

I worked on a GRID project and derived the following attached artifacts during my tenure at Citrix. I believe these documents will be quite handy and useful for someone who is getting their hands dirty for the first time with an nVIDIA GRID proof-of-concept, lab setup or, for that matter, a production roll-out.

Important Note: Since these documents were produced more than a couple of years ago, a lot of the product-specific terminology, versions, builds etc. might have changed. Therefore, do your due diligence and refer to the official online information for relevant and up-to-date information.

Hmm yeah, that's correct. I have come across several deployments in my experience where consultants completely miss securing the NetScaler Gateway hosting various services such as Exchange/CAS, ADFS SSON, reverse proxy for several web apps, content switching... the list goes on, and these are vulnerable to various attacks! Enough said.

With this blog, I share my experience with you on how to efficiently secure NetScaler to score A+ on the security report radar!

A couple of reasons for writing this blog are:

NetScaler VPX has some limitations around ciphers and hence scoring A+ is a bit tricky

Different builds/versions of NetScaler require different ways to obtain higher grades

Unsupported cipher suites such as AES-GCM/SHA2 have been removed from this VPX 11.0 64.34.nc build

The Rivest Cipher 4 (RC4) stream cipher has been removed from the cipher suites as it is no longer recommended and multiple vulnerabilities have been found in it recently.

In 2015, there was speculation that some state cryptologic agencies may possess the capability to break RC4 when used in the TLS protocol. The IETF has published RFC 7465 to prohibit the use of RC4 in TLS; Mozilla and Microsoft have issued similar recommendations.

Cipher suites with lower key strength, such as 112 bits, have been removed from the virtual server configuration.

The order of the cipher suites has been rearranged to ensure the effectiveness and priority of each cipher suite

During one of my deployments at a customer site, I bumped into this bug in the latest build of NetScaler. Build version: 11.0 64.34.nc

Under Authentication > Dashboard, the Status will show the error instead of Up/green (assuming that the Firewall rules are in-place/OK):

The issue is seen when you try to add the authentication server/profile (in this case LDAP) in the Add Authentication page: when you enter the LDAP bind credentials (containing special characters) and perform the 'Retrieve Attributes' task, the page refreshes and shows the status as down with 'invalid admin bind credentials'.

Workaround

Use an account with no special characters. (I understand this may not be ideal from a security perspective, therefore I tried adding the authentication server from the CLI and the outcome is still the same. Hopefully this will be addressed in the next release of the NetScaler build.)

On a recent customer deployment, I came across an issue where external connections to the Citrix environment through the Access Gateway were failing: they passed the LDAP authentication stage, but the redirection to the backend StoreFront (LB/server) was not happening; the page simply went blank (white) with an hourglass.

Environment

Netscaler MPX 5500

Netscaler version 11.0 build 62.10.nCore

Storefront 2.6

XenDesktop 7.6

Configured to use single FQDN for both internally and externally

Findings

On further investigation, found several errors in the event log in the storefront server:

Even though TLS protocol versions 1.1 and 1.2 are not supported by firmware version 1.1, the protocols incorrectly appear as enabled by default on an SSL virtual server.
Workaround: Disable TLS1.1/1.2 explicitly on the virtual server.
[# 576274]

The workaround was tried but did not work, so I called Citrix support and they suggested performing the following:

Workaround 1

In the NetScaler Access Gateway section, under Sessions > Session Profiles > Edit: change the StoreFront address in the session profiles from https:// to http:// addresses and re-enable TLS v1.2/1.1

Workaround 2

After trying that option, externally the page now redirects to the Citrix StoreFront page and enumerates the apps/desktops; however, launching the published desktop throws an error with status code 1030. I went ahead and disabled TLS v1.2/1.1 on the Access Gateway and all worked OK!

This might be a concern for security-centric organisations, and maybe there is a better and more convincing way to handle this scenario.

Conclusion

Lastly, as at the time of writing this blog, this is a known issue with NS MPX + v11.0 firmware: TLS/schannel errors in StoreFront, and external access fails to connect to the backend StoreFront LB/server. Citrix indicates that Microsoft does not support TLS v1.2 on the Windows StoreFront server and/or that there are some issues with NS v11.0 (still unknown; hope this gets fixed in the near future).

At one of my customer sites, they are using cloud-hosted videos for their department, basically a cloud-based video delivery system. The videos are in MP4 and WebM format. There appears to be a problem viewing these videos using Internet Explorer (any version) from within the Citrix environment; however, they play as required when using Google Chrome and Firefox. The videos play fine without any issues outside of the Citrix environment (XenApp 6.5) using IE or any other browser.

This indicates that the problem lies within the Citrix environment. Some policy or something unknown is blocking the videos from loading and playing.

Error Message

Error Loading media: File could not be played.

Cause

This error message is generic and can be due to several issues such as HDX Flash redirection, H.264 codec conversion failure etc. But in this scenario it was due to the following:

Debugging

To reproduce the scenario, follow the steps below on any XenApp server directly (via RDP):

The page will refresh (reset) automatically with the IE 8 engine (don't close the F12 panel)

Just click on any videos and it should play

Resolution & Workaround

Resolution (for webpage owner/developer)

Configure the webpage to restrict it to a document mode (8 in this case) supported by an older version of Windows Internet Explorer. You need to consider the X-UA-Compatible header, which allows a webpage to be displayed as if it were viewed by an earlier version of the browser. Please follow the MSDN library page titled Specifying legacy document modes for further steps on how to do it. Maybe it would be good to have a separate web page hosted for the Citrix environment, as the site works fine in the non-Citrix environment.

Extract from one of the MS page: If you are using the X-UA-Compatible META tag you want to place it as close to the top of the page’s HEAD as possible. Internet Explorer begins interpreting markup using the latest version. When Internet Explorer encounters the X-UA-Compatible META tag it starts over using the designated version’s engine. This is a performance hit because the browser must stop and restart analyzing the content.

The best practice is an X-UA-Compatible HTTP Header. Adding the directive to the response header tells Internet Explorer what engine to use before parsing content begins. This must be configured in the web site’s server. Custom HTTP Headers can be added in Internet Information Server through the management console.

HTTP Headers may also be added to the web application’s response by the application’s code. In ASP.NET custom headers can be added to the response using the AddHeader method. The following shows how to programmatically add the X-UA-Compatible header.

HttpContext.Response.AddHeader("X-UA-Compatible", "IE=edge");

Workaround (for System Admins)

Open the browser in Enterprise Mode instead of the Standard Mode (default). To enable this, you need to configure a group policy (GPO) in Active Directory or in your computer’s Local Policy (if no AD infrastructure in-place). Follow the below steps to configure and enable the policy:

Turn on Enterprise Mode and use a site list

Open your Group Policy editor and go to the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list setting.

To get started with this policy, you need to create a site list using the Enterprise Mode Site List Manager tool which can be downloaded from the Microsoft download page here.

Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager. To add a site to your compatibility list,

In the Enterprise Mode Site List Manager tool, click Add.

Type the URL for the website that’s experiencing compatibility problems, like <domain>.com or <domain>.com/<path> into the URL box. You don’t need to include the http:// or https:// designation. The tool will automatically try both versions during validation.

Pick Enterprise Mode if the site should use the new, modified browser configuration or pick Default IE if it should use the latest version of Internet Explorer.

Click Save to validate your website and to add it to the site list for your enterprise. If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.

On the File menu, go to where you want to save the file, and then click Save to XML.

You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key.

This is what the XML file looks like:

Add the URL of the XML file to the GPO: Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list

You may save the XML file on a webserver (HTTP), a network share or locally on any computer/server. As examples:

HTTP location: "SiteList"="http://localhost:8080/sites.xml"

Local network: "SiteList"="\\network\shares\sites.xml"

Local file: "SiteList"="file:///c:\\Users\\<user>\\Documents\\testList.xml"

Once the GPO is applied, ensure you go to each of the XenApp servers and run ‘gpupdate’ to ensure the policy is propagated to the servers.

And in the registry on the XenApp server, you should see the following entry:

To verify the webpage opens in Enterprise mode, launch the IE as a published app and open the video-hosting webpage in question. Go to Tools > F12 Developer Tools, under Emulation tab, you should see the Document mode is set to 5(Default)
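As an added example (not code from the original post), the following Python script builds the Enterprise Mode site list referenced in the GPO steps above, following Microsoft's published v1 schema, and classifies the three SiteList value forms listed above. The domain names are constructed placeholders, and the schema layout is an assumption from the public documentation rather than something the post shows.

```python
"""Build and check an Enterprise Mode site list (schema v1) for the
cloud-hosted video site discussed above.

Added example, not code from the original post. Assumptions: the XML
layout follows Microsoft's published v1 schema
(<rules version="N"><emie>...</emie><docMode>...</docMode></rules>);
the domain names used in the sample are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def build_site_list(version, emie_domains, doc_modes=None):
    """Return the site-list XML as a string.

    version:      integer; IE only re-reads the list when it increases
    emie_domains: domains IE should open in Enterprise Mode
    doc_modes:    dict domain -> document mode ("5", "7", "8", "9", "10",
                  "11" or "edge") for sites that only need a legacy engine
    """
    rules = ET.Element("rules", version=str(int(version)))
    emie = ET.SubElement(rules, "emie")
    for domain in emie_domains:
        # exclude="false" means "apply Enterprise Mode to this domain"
        ET.SubElement(emie, "domain", exclude="false").text = domain
    if doc_modes:
        section = ET.SubElement(rules, "docMode")
        for domain, mode in doc_modes.items():
            ET.SubElement(section, "domain", docMode=str(mode)).text = domain
    return ET.tostring(rules, encoding="unicode")


def parse_site_list(xml_text):
    """Map each listed domain to the mode IE will apply, checking the
    parts of the v1 schema that IE depends on."""
    root = ET.fromstring(xml_text)
    if root.tag != "rules" or not root.get("version", "").isdigit():
        raise ValueError("not a v1 site list: expected <rules version=N>")
    modes = {}
    for d in root.findall("./emie/domain"):
        if d.get("exclude", "false") == "false":
            modes[d.text.strip()] = "EnterpriseMode"
    for d in root.findall("./docMode/domain"):
        modes[d.text.strip()] = "docMode=" + d.get("docMode", "")
    return modes


def bump_version(xml_text):
    """Return the list with version+1 so IE picks up an edited file."""
    root = ET.fromstring(xml_text)
    root.set("version", str(int(root.get("version")) + 1))
    return ET.tostring(root, encoding="unicode")


def site_list_location_kind(value):
    """Classify a SiteList value as one of the three forms the post lists:
    HTTP location, network share (UNC path) or local file:/// URI."""
    if value.startswith("\\\\"):
        return "unc"
    scheme = urlparse(value).scheme.lower()
    if scheme in ("http", "https"):
        return "http"
    if scheme == "file":
        return "file"
    raise ValueError("SiteList must be an http(s) URL, a UNC path or a file:/// URI")


if __name__ == "__main__":
    # Constructed sample: the video site goes into Enterprise Mode; a second
    # intranet site is pinned to document mode 8 as in the resolution above.
    xml_text = build_site_list(1, ["videos.example.com"], {"intranet.example.com": "8"})
    print(xml_text)
    print(parse_site_list(xml_text))
    print(site_list_location_kind(r"\\network\shares\sites.xml"))
```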

Part 3 : MDM Configuration and Administration
https://cloudray.wordpress.com/2014/08/11/part-3-mdm-configuration-and-administration/
Sun, 10 Aug 2014 22:14:18 +0000

Part 3 of this MDM blog series continues from Part 2, where we went through the design and implementation phase.
Configuration and Management for Users, Devices, Email and Applications

In Airwatch you have the option to modify the capability of your device (if you choose to enable self-service administrative tasks for your end users, apart from admins). Below are the types of roles available at an Organisation or User level:
→ Full Access (default)
→ Basic Access
→ Custom (you can create an access catalog with the selective capabilities that you want your users and/or admins to have; the URL usually will be https://<publicmdmserverFQDNorIPaddress>/mydevice, e.g. https://mdm.domain.com/mydevice)

The following can be the high-level implementation and administration tasks involved in an MDM deployment. Please note there can be additional tasks based on the specifics of your project, such as Intranet Apps, Corporate Data Access/Share etc. Note: The terms and steps may vary depending on the MDM vendor.

Before I start to pen down my thoughts and experiences, I would like to share a very basic and high-level overview of the User to Device to App relationship and management. It may vary depending on your organisational structure, architecture and design style. In an attempt to represent this with clarity, I am sharing this diagram. Hope it helps you in understanding and deployment. Also, note that I may modify this if I think something is missing or needs correction.

User Management
º Create Organisation Group (Custom and/or Directory)
º Add/Register Users and Device(s) in the MDM Console, in bulk or one at a time depending on the user base and demand in your organisation
º Create User Group (Custom and/or Directory)

Smart Group is mainly used on the application side. It is used when a specific app is pushed via the App Catalog to specific user groups.
User Group is primarily used at the user level. Specific users are added to a user group based on profile, level of access, security and/or restrictions. It is also used in line with the smart group: a User Group is added to a specific Smart Group to grant access to specific apps.

Device Management using MDM Profiles and Compliance Rules
Create the following profiles based on the level of security to be applied at user or user-group level (for example: HIGH/MED/LOW). For Passcode and EAS, the recommendation is to have a single profile across all users/groups.
º Passcode
º Exchange Active Sync
º Restrictions (mostly device related and telecom/data)
º Compliance Policies (Whitelist/Blacklist)

Email Management
º Enable Exchange Active Sync (EAS) in your environment (enable the EAS policy/service in the Active Directory domain) for your users.
º Restrict/Limit users to specific device(s) (MAC/IMEI/deviceID) and/or a specific number of devices (1, 2, …n). This may be optional, and is required when your EAS traffic routes through an already existing spam filter engine (e.g. Barracuda) and you want to restrict the new EAS traffic from the MDM deployment to route through SEG or SMG, thus allowing users to enroll only 1 or 2 devices. This may be experimental, as I had some issues during my testing, so please test and ensure it works. Please refer to Enable a Device for Exchange ActiveSync for more info on how to do it.
º Email Domain Registration (similar to user addition or device registration in the Airwatch portal/environment)
º Integrate your email management with vendor-provided applications such as the following:
→ Email Client – configuring and accessing corporate email using the vendor email client (by default, the native device email client is used)
→ Browser – opening links in the vendor browser (by default, the native device web browser is used)
→ Secure Content Locker (SCL) – for opening attachments in encrypted mode within a container (you may configure unencrypted opening of attachments directly without SCL)

Application Management
° Add Internal and Public Applications in the MDM Console manager. Most applications are available from the App Store, Google Play or Windows Store. Additional specific apps can be imported as SDKs or App profiles.
° Either let users control Public Apps using Google Play, or restrict them using the App Catalog with whitelist/blacklist app lists/compliance rules.

Note/Checklist when Managing Android Devices

NOTE 1
iOS devices are easy to configure and manage compared to Android devices. Having said that, with the introduction of Samsung SAFE and KNOX, Android devices are marching towards being sophisticated and secured devices in the months/years to come. Therefore, you may find several restrictions and configuration settings which either do not work or need to be configured with certain services turned on, such as the background data service, non-market app install allowed, and several system services turned on. Google Play needs to be enabled to install public apps managed via the MAM solution. A quick checklist you may want to consider while managing Android devices:
→ Settings > Security > Unknown sources > Allow installation of apps from sources other than the Play Store is checked (else third-party or non-market app install is blocked)
→ Settings > Security > Verify apps is unchecked

NOTE 2
Public Apps pushed via the App Catalog fail to install if Google Play is disabled using policy. Currently this does not work, therefore you must enable Google Play to install the public apps. In a real-world scenario, you may handle it in one of the following ways:
º Enable Google Play in the 'Restriction' profile for all users/device platforms.
º Enable Google Play → install the required Public Apps → test → disable Google Play by modifying the 'Restriction' profile. (This will be tedious if you need to do it every time a user requests 'n' number of devices.)
º Enable Google Play in the 'Restriction' profile and then configure a whitelist/blacklist app list/compliance policy.
º Create a separate 'Restriction' profile for specific user groups who require Google Play and public apps.

In the next part of the MDM series, I will share a little more on the services that enable the MDM environment, plus FAQs and issues/workarounds based on real-world scenarios. Apart from this, I would also like to create a separate blog on AirWatch and XenMobile side by side: architecture, components, editions and a high-level comparison. Hope I keep the promise. Till then, have fun and spread peace and happiness…
Part 2 : MDM Plan, Design and Implement
https://cloudray.wordpress.com/2014/08/11/part-2-mdm-plan-design-and-implement/
Sun, 10 Aug 2014 19:58:51 +0000

In Part 1 of the MDM series, we talked about the initial phase of the project, which includes assessing your environment, identifying the types of users/groups and their level of access, and the different MDM/MEM/MAM profiles based on the criteria for implementing MDM in an on-premise deployment scenario.

In this part, I would like to share the architecture, components, a checklist for network/port requirements and firewall rules, and lastly the systematic approach to configure and roll out device and user enrollment with the appropriate profiles/rules propagated based on the profile definition. For those who are not aware of the acronyms, please scroll down to the bottom of this blog. The topics I am unable to cover are MCM, Apple Configuration, Public and Intranet Application configuration and many others which may be required in a cloud deployment scenario or in a large-scale deployment.

Architecture

This is a basic on-premise deployment with NO high availability, redundancy or SaaS capabilities, and with a capacity of up to 2000 devices/users.

AirWatch Roles and Services

The table below will give you an idea of your MDM infrastructure requirement in terms of number of servers, number of operating systems (MS OS and SQL licenses) and network/VLAN (generally the network layout will be between two zones, Internal/Production and DMZ, on the corporate network, with a public IP/FQDN and a CA-signed public SSL certificate on the Internet side).

AirWatch Software/Components Requirements

Before you start building the servers, it is always good practice to know the software and prerequisite requirements, to save time and avoid obstacles at the initial stage. The following table is a snapshot of those basic requirements to get started.

AirWatch Network/Port Requirements

The next step in the design/implementation phase is the network/port and firewall requirements for seamless communication between the following components:

Mobile Device (Internet) → Device Services
Mobile Device (Internet) → Secure Email Gateway (SEG) → Email Services (Internal/Corporate network)
Device Services (DMZ) → MDM Database/Corporate Resources (Internal/Corporate network)

The table below may provide visibility and help in defining the network rules in your environment.

The MDM related services/components can be installed on a single big server or distributed across more than one server; as in our case, services such as ACC and AWCM can be installed in the DMZ and/or the internal network depending on your network layout and choice.

CloudMessaging Status URL: https://<mdm.domain.com>:2001/awcm/status
Secure Email Gateway URL: https://<mdm.domain.com>/segconsole/management.ashx

where mdm.domain.com is the public FQDN or IP address of your MDM server, which users (sometimes admins on behalf of users) connect to from their device to enroll/register the device with your MDM environment.

In the next part in this series, I will cover the configuration and management of Users, Devices, Groups, Profiles etc. from the MDM Console.

to be continued…

=======================================================================

Acronyms:
MDM = Mobile Device Management
MEM = Mobile Email Management
MAM = Mobile Application Management
MCM = Mobile Content Management
Part1: MDM-Assess, Identify and Get Started…
https://cloudray.wordpress.com/2014/07/25/part1-mdm-assess-identify-and-get-started/
Fri, 25 Jul 2014 16:35:00 +0000

Without further ado, and to put down all that I have in my head right now, let me get started right away. In general, there are very limited resources related to an MDM solution online. Most of the vendor-related documents are not available publicly; you get access to them by registering with one of the vendors. Having said that, I would like to share my experience with the design and deployment of an on-premise MDM deployment, i.e. Airwatch. I will try to keep this series as general as possible; however, the examples will be specific to Airwatch only.

Key requirements for an MDM deployment and use-case in any organisation:
# Corporate Device Security and Control
# Data Protection, Control and Integrity
# Email Security and Encryption (This can be optional for many organisations who already have an email proxy server in place, and so may not add the email secure gateway feature available with MDM. Other ways to deal with this are to either route all email traffic via the MDM email gateway (proxy) or create an (OU) policy in your directory services environment to route mobile device email (incoming/outgoing) traffic via the MDM email gateway. This may be an additional administrative task and time-consuming, depending on your organisation's security, network and other stakeholders' agreement/approval.)

Assess, Identify and Categorise the environment:
# Number of users, categorised based on organisational structure/hierarchy
# Number of devices, which may include Corporate-Dedicated, Corporate-Shared and/or Employee-Owned (BYOD)
# Number of users with corporate email accounts (mostly this will be the same as the number of users)
# Understand the organisational hierarchy/structure and document your MDM deployment accordingly. Keep in mind to keep it simple and less complex while creating MDM organisational groups.
# Types of mobile platforms to be considered as part of the corporate standards: Windows Mobile, iOS and/or Android are the primary and commonly used platforms in large corporate environments.
# Types of mobile device make and model (importantly, ensure your MDM vendor supports these models/versions etc.), such as Samsung (Samsung for Enterprise – SAFE)
# Existing Blackberry environment: plan and decide on the approach to either integrate with your new MDM solution, run it in parallel/isolated, or phase it out and roll out the MDM as your primary mobility solution.

Basic Principles/Best Practices:
# As with any deployment, keep the environment as simple as possible.
# Create fewer user categories/profiles in terms of their access level, restrictions and compliance rules.
# Leverage custom user groups within the MDM admin console to delegate and administer user-level access.
# Ensure policies are applied at the root level and avoid applying sub-policies.
# Create fewer custom (within the MDM Admin Console) or directory (e.g. AD) groups to avoid complexity.
# It is always good practice to use the latest device make and model and OEM versions (e.g. Samsung SAFE v4.0+, Knox, iPhone 5/iOS v7.0+ etc.)
# It is good to list/document the limitations of your MDM solution. (This may be limited to what vendor documentation states, but you are going to find a few to considerable limitations post production and over a period of time. Mostly the responses to these limitations will be either "supported in the next release", "work in progress" or "not supported by OEM/MDM".)

Design of User/Device Profiles – Categorisation and Restriction levels:
# Email and Device Passcode profiles ideally should be the same across the organisation. This policy is important as the first level of security. It is like the main entrance of your house: the Device Passcode is the gate of your premises and Email security is like the door to your house. Then you have all the locks and checks within your house (MDM/MCM/MAM and so on).
# High means highest security and control. It is like all blocked, and opened upon request/business justification.
# Medium means basic/core security plus MAM-level control.
# Low means all open except the Email/Passcode policies in place.

Below is a sample Profile table which one can use to chalk out the approach for their deployment in terms of security, restrictions, Email, Application and Data:

Next Part:
In the next part of the MDM series, I'll cover the design/deployment phase and explain the functions of each feature and the components of the solution. I haven't decided on the number of parts in this series but will know as I write along the way.
Architecture (Components, server/network/database requirements)
Organisation/User Group Management
Profile Management
Application Management (Public/Internal)